Lab 3.1 - Dynamic Analysis

Make sure that your analysis VM is NOT connected to the internet at this point.
Take a snapshot before you start this lab.
Make a few copies of the sample before you start this lab.

Part 1

Step 1

Step 2

Debugging

Start x32dbg and open the sample in the debugger.

Let the file load.

Execution will halt once it reaches the system breakpoint.

At this point, hit the ‘Run’ button at the top.

The process will continue running and will execute to exit. Debugging will stop at this point.

You will find that the process is now gone and that the sample file has been deleted from the disk.

Part 1 of this lab is now complete. You executed the file through the debugger and it ran to exit. You are now ready for the second part.

Part 2

Step 1

Click on ‘File’ and select ‘Attach’ from the menu.

You should see a newly created process with a file path different from where your samples are saved. Generally, there should be only one at this point.
Select this process and click ‘Attach’.

At this point you can pause the process if it is running.

Go to the ‘Symbols’ tab and look for the ‘wininet.dll’ module. Select this module.

In the right-hand section, scroll down to the ‘InternetConnectW’ function and select it.

Press F2, or right-click, to put a breakpoint on this function.

Go back to the CPU tab and hit ‘Run’ again.

The process should run and halt at the breakpoint we set earlier.

Although not part of this section of the labs, you should be able to see the C2 at this point when you look at the CPU section.

Run ‘Scylla’ at this point.

It should open up in a new window.

Follow these steps in Scylla:

Select the process being debugged from the dropdown (re-select it even if it already appears selected).

  1. Click on IAT Autosearch
  2. Click ‘Yes’ on the warning
  3. Click ‘Ok’ on the ‘IAT found’
  4. Click on ‘Get Imports’

The Imports section should now show the imports. If not, something has gone wrong; start again.

  1. Click on ‘Dump’ and save the new file to Desktop
  2. Click on ‘Fix Dump’. Select the file you saved in the last step; Scylla will ‘fix’ it and save it again, as shown in the image below, with a ‘_SCY’ suffix

Close out Scylla.

Close out x32dbg.

This lab is now complete. You should now have a new version of the malware sample.
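Once the ‘_SCY’ file exists, the first thing an analyst checks is whether its rebuilt import table actually binds the APIs seen under the debugger (here wininet.dll!InternetConnectW); if the dump was not fixed, the import RVAs point nowhere. The script below is an added example, not part of the lab or of Scylla: it walks a PE import directory with only the Python standard library, and `build_sample_pe()` is a constructed minimal PE32 used as stand-in input, so `list_imports(open("sample_SCY.exe", "rb").read())` is what you would run on the real dump (file name assumed).

```python
import struct
PE32 = 0x10B  # optional-header Magic for 32-bit images (what x32dbg loads); 0x20B is PE32+
def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_imports(data):
    """Walk the import directory of an on-disk PE and return {dll: [function or '#ordinal', ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24; magic = struct.unpack_from("<H", data, opt)[0]
    import_rva = struct.unpack_from("<I", data, opt + (96 if magic == PE32 else 112) + 8)[0]  # DataDirectory[1]
    thunk_fmt, ord_flag = ("<I", 1 << 31) if magic == PE32 else ("<Q", 1 << 63)
    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva_to_off(rva):
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is not backed by any section (unfixed dump?)")
    imports, desc = {}, rva_to_off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:  # an all-zero descriptor terminates the table
            break
        thunk, names = rva_to_off(oft or ft), []  # fall back to the IAT when the INT was stripped
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & ord_flag else _cstr(data, rva_to_off(entry) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva)).lower()] = names
        desc += 20
    return imports

def build_sample_pe():
    """Constructed minimal PE32 (not a real sample): one section holding an import directory."""
    sec, base = bytearray(), 0x1000  # section RVA 0x1000, raw data placed at file offset 0x200
    add = lambda b: (sec.extend(b), base + len(sec) - len(b))[1]  # append b, return its RVA
    s_win, s_k32 = add(b"wininet.dll\0"), add(b"kernel32.dll\0")
    h_icw, h_iow, h_dfw = add(b"\0\0InternetConnectW\0"), add(b"\0\0InternetOpenW\0"), add(b"\0\0DeleteFileW\0")
    int_win = add(struct.pack("<III", h_icw, h_iow, 0))  # wininet INT, both entries by name
    iat_k32 = add(struct.pack("<III", h_dfw, 0x80000000 | 42, 0))  # kernel32 IAT, second entry by ordinal
    descs = add(struct.pack("<IIIII", int_win, 0, 0, s_win, int_win) + struct.pack("<IIIII", 0, 0, 0, s_k32, iat_k32) + bytes(20))
    opt = (struct.pack("<H", PE32).ljust(104, b"\0") + struct.pack("<II", descs, 60)).ljust(224, b"\0")
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(sec), base, len(sec), 0x200) + bytes(16)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte optional header
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdr
    return bytes(hdr.ljust(0x200, b"\0") + sec)
```

A raw (unfixed) dump typically fails inside `rva_to_off` or yields empty lists, which is exactly the failure the ‘Fix Dump’ step is meant to repair.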